Skip to content

GitLab

Switch branch/tag
Find file BlameHistoryPermalink
  • David Horstmann's avatar
    fix(fdt): fix OOB write in uuid parsing function · d0d64245
    David Horstmann authored 
    
The function read_uuid() zeroes the UUID destination buffer
on error. However, it mistakenly uses the dest pointer
that has been incremented many times during the parsing,
leading to an out-of-bounds write.

To fix this, retain a pointer to the start of the buffer,
and use this when clearing it instead.
Signed-off-by: default avatarDavid Horstmann <david.horstmann@arm.com>
Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306
    d0d64245
uuid.c 2.41 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 
/*
 * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>

#include <common/debug.h>
#include <common/uuid.h>

/* Return the hex nibble value of a char */
static int8_t hex_val(char hex)
{
	int8_t val = 0;

	if ((hex >= '0') && (hex <= '9')) {
		val = (int8_t)(hex - '0');
	} else if ((hex >= 'a') && (hex <= 'f')) {
		val = (int8_t)(hex - 'a' + 0xa);
	} else if ((hex >= 'A') && (hex <= 'F')) {
		val = (int8_t)(hex - 'A' + 0xa);
	} else {
		val = -1;
	}

	return val;
}

/*
 * Read hex_src_len hex characters from hex_src, convert to bytes and
 * store in buffer pointed to by dest
 */
static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
{
	int8_t nibble;
	uint8_t byte;

	/*
	 * The string length must be a multiple of 2 to represent an
	 * exact number of bytes.
	 */
	assert((hex_src_len % 2U) == 0U);

	for (unsigned int i = 0U; i < (hex_src_len / 2U); i++) {
		nibble = 0;
		byte = 0U;

		nibble = hex_val(hex_src[2U * i]);
		if (nibble < 0) {
			return -1;
		}
		byte = (uint8_t)nibble;
		byte <<= 4U;

		nibble = hex_val(hex_src[(2U * i) + 1U]);
		if (nibble < 0) {
			return -1;
		}
		byte |= (uint8_t)nibble;

		*dest = byte;
		dest++;
	}

	return 0;
}

/* Parse UUIDs of the form aabbccdd-eeff-4099-8877-665544332211 */
int read_uuid(uint8_t *dest, char *uuid)
{
	int err;
	uint8_t *dest_start = dest;

	/* Check that we have enough characters */
	if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
		WARN("UUID string is too short\n");
		return -EINVAL;
	}

	/* aabbccdd */
	err = read_hex(dest, uuid, 8);
	uuid += 8;
	dest += 4;

	/* Check for '-' */
	err |= ((*uuid == '-') ? 0 : -1);
	uuid++;

	/* eeff */
	err |= read_hex(dest, uuid, 4);
	uuid += 4;
	dest += 2;

	/* Check for '-' */
	err |= ((*uuid == '-') ? 0 : -1);
	uuid++;

	/* 4099 */
	err |= read_hex(dest, uuid, 4);
	uuid += 4;
	dest += 2;

	/* Check for '-' */
	err |= ((*uuid == '-') ? 0 : -1);
	uuid++;

	/* 8877 */
	err |= read_hex(dest, uuid, 4);
	uuid += 4;
	dest += 2;

	/* Check for '-' */
	err |= ((*uuid == '-') ? 0 : -1);
	uuid++;

	/* 665544332211 */
	err |= read_hex(dest, uuid, 12);
	uuid += 12;
	dest += 6;

	if (err < 0) {
		WARN("Error parsing UUID\n");
		/* Clear the buffer on error */
		memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
		return -EINVAL;
	}

	return 0;
}